One of the remarkable features of quantum mechanics is the ability to ensure secrecy. Private states embody this effect, as they are precisely those multipartite quantum states from which two parties can produce a shared secret that cannot under any circumstances be correlated to an external system. Naturally, these play an important role in quantum key distribution (QKD) and quantum information theory. However, a general distillation method has heretofore been missing. Inspired by Koashi's complementary control scenario [M. Koashi, e-print arXiv:0704.3661 (2007)], we give a new definition of private states in terms of one party's potential knowledge of two complementary measurements made on the other and use this to construct a general method of private state distillation using quantum error-correcting codes. The procedure achieves the same key rate as recent, more information-theoretic approaches while demonstrating the physical principles underlying privacy of the key. Additionally, the same approach can be used to establish the hashing inequality for entanglement distillation, as well as the direct quantum coding theorem.



I. INTRODUCTION 

Appeal to physical concepts such as the uncertainty principle and entanglement formed the basis of the original security proofs of quantum key distribution (QKD). An uncertainty relation between complementary observables inspired the first, Mayers's security proof of the BB84 protocol. Later, building on arguments from Lo and Chau, Shor and Preskill showed how BB84 could be understood as a virtual entanglement distillation protocol, thereby using the monogamy of entanglement to ensure the privacy of the key. This method subsequently found wide application not only to specific and generic ideal protocols, but also to protocols including a description of realistic devices. Recently, Koashi combined the two methods and formulated a simple security proof for BB84 with uncharacterized detectors.

A somewhat different, more information-theoretic approach adapts classical schemes of extracting secret bits from partially private data to the case in which the eavesdropper holds quantum information. If $X$, $Y$, and $Z$ are classical random variables held by two honest parties Alice and Bob, along with an eavesdropping third party, Eve, then a result by Csiszár and Körner states that by one-way communication from Alice to Bob the honest parties can extract a key at a rate of $I(X{:}Y) - I(X{:}Z)$ bits from asymptotically many such random variables. Devetak and Winter showed how to distill secret keys from tripartite quantum states at the quantum version of this rate, obtained by replacing Bob's and Eve's classical random variables with quantum states [13]. Building on a result by Renner and König [14], Kraus, Gisin, and Renner established the security of generic QKD protocols operating at this rate using arbitrary universal hash functions.

The essential difference between the two approaches lies in the basis of privacy and the treatment of the eavesdropper. In the latter, privacy is established directly. Alice and Bob employ privacy amplification to eliminate any information Eve may have about their prospective classical key, even if she holds quantum information. This general approach works in any kind of cryptographic setting, classical, quantum, or otherwise, provided Alice and Bob have some estimate of Eve's information. In the quantum setting, this estimate can be obtained by assuming Eve holds the purification of the quantum state held by Alice and Bob; that this limits her information is the reason QKD is possible from this point of view.

In the former approach, the honest parties no longer concern themselves with the details of the eavesdropper, but instead concentrate on creating a quantum state that can produce a secret key when appropriately measured. For example, maximal entanglement will ensure privacy of a key generated in any basis by the monogamy property mentioned above. Entanglement is sufficient for this purpose, but unnecessary; the broader class of states suitable for creating keys are termed private states [18]. These are closely related to maximally entangled states, but may also include additional systems, collectively called the shield. The shield does not contribute directly to the key, but, as the name suggests, serves to block its correlations from would-be eavesdroppers. From this perspective, the success of QKD hinges on the existence of quantum correlations which imply that the results of certain measurements are completely secret.

Each approach has its advantages. The physical picture is perhaps more intuitive, tracing the origins of privacy to physical concepts such as entanglement, complementarity, and the uncertainty principle. On the other hand, the information-theoretic approach has led to more general proofs with higher lower bounds and lower upper bounds on the secret key rate.

These results, specifically rates of secret key distillation, have also been used to derive some of the central results of quantum information theory, namely the hashing inequality on the asymptotic rate of entanglement distillation and the direct quantum coding theorem for the quantum channel capacity. In principle, it should be possible to arrive at the same results in the physical picture, as every key distillation protocol in principle leads to a private state distillation protocol by performing the operations coherently [19]. Put differently, the results from the information-theoretic viewpoint can be used to construct such distillation protocols, but these have not yet been fully understood from the more physical point of view.

We provide the missing piece of the puzzle in this paper by formulating a new characterization of private states based on the uncertainty principle and using this to construct a protocol using Calderbank-Shor-Steane (CSS) codes [20, 21], which distills private states at the quantum Csiszár-Körner rate. The essential idea is that if and only if measurements on Alice's key system in either one of two conjugate bases can be perfectly predicted by the other systems available to the honest parties, then the joint state is a private state and Eve can have no correlation with the key. In particular, Bob's key system should be perfectly correlated with Alice's, while the shield may be used to predict her conjugate observable.

Here, privacy of the key rests on quantum-mechanical complementarity, since the fact that either of the conjugate observables could be predicted by the honest parties means that Eve has no correlation with either. This echoes the recent result by Koashi showing that secret key distillation is equivalent to a protocol involving complementary measurements he termed complementary control [22], and indeed our work is inspired by these results.

By explicitly including Bob and the shield into the analysis, the means of private state distillation become clear: Alice merely needs to reveal some information about her key system such that the other systems could in principle predict both measurements. We shall demonstrate how the syndromes of a CSS code are ideally suited for this purpose, and that the resulting distillation protocol essentially amounts to applying a slightly modified Holevo-Schumacher-Westmoreland (HSW) theorem [23, 24] twice. Constructing a distillation procedure in this manner, one focused on the shared quantum correlations, generalizes the quantum privacy amplification method of Deutsch et al. [25] and recalls the connection between quantum privacy and quantum coherence discovered by Schumacher and Westmoreland [26].

This approach also gives a new proof of the hashing inequality, which states that the rate of one-way entanglement distillation using many copies of the state $\rho^{AB}$ is lower bounded by the coherent information $I_c(A\rangle B) = S(B) - S(AB)$ (the same lower bound applies to the extractable one-way secure key rate). As discussed in [27], this result combined with quantum teleportation provides proof of the direct quantum coding theorem, which gives a lower bound to the quantum channel capacity in terms of the coherent information. The main difference from previous proofs is that we bound Eve's information about the key by the amount of information that Bob can obtain about Alice's conjugate basis measurement, which then leads to an explicit construction of the decoder.

The paper is organized as follows. First we give the new characterization of private states in Sec. II and show how quantitative statements of complementarity such as the entropic uncertainty principle of Maassen and Uffink [28] and a related mutual information tradeoff given by Hall imply privacy of the key. We then extend this to the case of approximate private states in Sec. III, explaining the relation to Koashi's complementary control scenario. Section IV presents our main results, which we divide into two parts. We first prove a one-shot distillation theorem showing how to use the structure of CSS codes for private state distillation, in a form useful as a building block for QKD security proofs. We then give a distillation protocol based on these ideas that achieves the quantum Csiszár-Körner rate. In Sec. V we use a coherent version of those arguments to prove the hashing inequality. In Sec. VI we discuss relation to previous work, and we conclude in Sec. VII with a summary and open problems.



II. EXACT PRIVATE STATES 

A perfect secret key shared by Alice and Bob is a uniformly distributed random variable about which the eavesdropper Eve has zero information, or more formally, $\kappa^{ABE} := \frac{1}{d}\sum_k P_k^A \otimes P_k^B \otimes \rho^E$ for some $\rho^E$, where $P_k := |k\rangle\langle k|$ is the projector onto "standard" basis element $|k\rangle$. Note that this choice of basis is arbitrary for each system. Although we use a quantum-mechanical description, note that Alice and Bob's systems are essentially classical; states of this form are sometimes termed ccq states to reflect this fact.

Private states, meanwhile, are quantum states for which standard basis measurements by Alice and Bob yield a perfect secret key. When producing a key from an alphabet of $d$ letters, the key registers $A$ and $B$ are $d$-dimensional quantum systems. Additionally, they may possess some auxiliary "shield" systems that are not directly involved in creating the key. These systems are nevertheless important as they are not held by the eavesdropper and can shield the key correlations from her. Although the shield may have several parts distributed between Alice and Bob, here we lump them together into the system labelled $S$.

In contrast to the explicit reference to Eve's system in the definition of secret keys, the privacy of a state $\gamma^{ABS}$ can be determined solely from the systems held by Alice and Bob. The canonical example of such an effect comes from a maximally entangled state, which by virtue of the monogamy of entanglement creates secret keys upon measurement. Though there is no shield in this example, it makes the point that the quantum correlations between Alice and Bob's systems are enough to establish secrecy of the key.

Private states are in fact closely related to maximally entangled states, as shown in [18]. To recapitulate their result, first define a twisting operator to be a controlled unitary of the form $U^{ABS} := \sum_{jk} P_j^A \otimes P_k^B \otimes V_{jk}^S$ for any arbitrary unitaries $V_{jk}^S$. Then Theorem 1 of [18] states that $\gamma^{ABS}$ is a private state iff it is of the form

where $\xi^S$ is an arbitrary state and $\Phi^{AB}$ is the density operator associated with the canonical entangled state $|\phi^{AB}\rangle := \frac{1}{\sqrt{d}}\sum_{k=0}^{d-1} |kk\rangle^{AB}$; note that actually only the $V_{kk}$ are relevant. Clearly, measurement of the $A$ and $B$ systems results in a secret key since the same key would result if the state were first untwisted, and Eve cannot distinguish the cases in which the state has been untwisted or not. Conversely, purifying a secret key and using the fact that Eve's marginal state is fixed along with the fact that purifications of a fixed marginal are related by unitaries on the purifying system, i.e. Uhlmann's theorem [30, 31], guarantees the form of Eq. (1).

With the help of the uncertainty principle we can formulate a different characterization of private states that emphasizes the relation of privacy to complementarity and does not involve statements about Eve's system. Consider a hypothetical measurement by one party, say Alice, on her key qubit in a basis conjugate to the standard basis. In this context, "conjugate" refers to any basis whose elements give random outcomes when measured in the standard basis. A general conjugate basis has elements $|x\rangle := \frac{1}{\sqrt{d}}\sum_{k=0}^{d-1} e^{i\theta_{xk}}|k\rangle$ for some set of $\theta_{xk} \in \mathbb{R}$ such that $\frac{1}{d}\sum_k e^{i(\theta_{xk}-\theta_{yk})} = \delta_{xy}$.

Due to the conjugate nature of the $|k\rangle$ and $|x\rangle$ bases, complementarity places constraints on the predictability of both measurements. In particular, the entropic uncertainty relation of Maassen and Uffink [28] states that, for an arbitrary state $\rho^A$,

$$H(Z^A) + H(X^A) \ge \log_2 d, \qquad (2)$$

where $Z^A$ and $X^A$ are any nondegenerate observables having eigenstates $|k\rangle^A$ and $|x\rangle^A$, respectively, and $H$ is the Shannon entropy of the outcome probabilities, measured in bits. Hence, if the outcome of $Z$ is certain, then the measurement of $X$ must be random and vice versa.

To determine how much information is simultaneously available, we can include the measurement devices themselves in the description, following Hall and Cerf et al. Whatever information can be stored in separate devices is clearly simultaneously accessible, so consider a state $\rho^{ACD}$ and POVMs $\Lambda^C$ and $\Gamma^D$ that are restricted to systems $C$ and $D$, respectively. Denoting the classical conditional entropy of $Z^A$ given the measurement result $\Gamma^D$ by $H(Z^A|\Gamma^D)$, we have

Lemma 1 (Complementary Information Tradeoff). For a tripartite quantum state $\rho^{ACD}$, conjugate observables $Z^A$ and $X^A$, and arbitrary measurements $\Lambda^C$ and $\Gamma^D$,

$$H(Z^A|\Gamma^D) + H(X^A|\Lambda^C) \ge \log_2 d, \qquad (3)$$

where $d = \dim(A)$.

Proof. Consider arbitrary measurements $\Lambda^C$ and $\Gamma^D$. Since these can be performed independently simultaneously, we can define the conditional marginal state $\rho^A_{jk} := \mathrm{Tr}_{CD}[\Lambda^C_j \Gamma^D_k \rho^{ACD}]/p_{jk}$, for $p_{jk} := \mathrm{Tr}[\Lambda^C_j \Gamma^D_k \rho^{ACD}]$. Measurements of $Z^A$ and $X^A$ on each of those states must obey Eq. (2), which in the current context reads $H(Z^A|\Gamma^D{=}k, \Lambda^C{=}j) + H(X^A|\Gamma^D{=}k, \Lambda^C{=}j) \ge \log_2 d$. Averaging over the measurement outcomes and using the fact that conditioning reduces entropy, we obtain the desired result. □



Note that no restriction is placed on the ability of a single system to be correlated with two complementary Alice observables, only that the correlations not be simultaneously realized. Such is the case when $\rho^{AB}$ is maximally entangled; in the EPR state, for instance, Bob can predict either the position or momentum of Alice's system, but not both at the same time.

The information tradeoff bears directly on the question of privacy, as conjugate information can be used to exclude the eavesdropper's information about the key. Define the key to be the outcome of Alice's observable $Z^A$, let Eve hold $D$, and suppose that system $C = BS$, i.e. the remainder of the systems under Alice and Bob's control. Then if some measurement $\Lambda^{BS}$ of the $BS$ subsystem can predict the outcome of Alice's conjugate basis observable $X^A$, Eve can have no information about the key: $H(X^A|\Lambda^{BS}) = 0$ implies $H(Z^A|\Gamma^E) = \log_2 d$. Thus, complementarity assures privacy of the secret key without directly making statements about Eve's system. This line of thought leads to the new characterization of private states:

Theorem 1 (Exact Private States). $\gamma^{ABS}$ is a private state with (nondegenerate) key observables $Z^A$ and $Z^B$ iff for some measurement $\Lambda^{BS}$

(a) $H(Z^A|Z^B) = 0$, and (4)

(b) $H(X^A|\Lambda^{BS}) = 0$. (5)

Proof. Start with the reverse (if) implication and suppose $\gamma^{ABS}$ satisfies the two conditions. By the above argument, condition (b) implies $H(Z^A|\Gamma^E) = \log_2 d$ and therefore $H(Z^A) = \log_2 d$, whence Eve's marginal states must be independent of the key. As (a) implies the key is perfectly correlated, $\gamma^{ABS}$ must be a private state.

To prove the forward (only if) implication, we construct the measurement $\Lambda^{BS}$ from the twisting operator $U^{BS} = \sum_k P_k^B \otimes V_{kk}^S$. First, condition (a) follows immediately for $\gamma^{ABS}$ a private state. The joint probability for the conjugate measurement is given by

p xy = Tr[ 7 ABS P A

where $P^{*B}$ is the conjugate of $P^B$ in the standard basis. Condition (b) follows by setting $\Lambda^{BS} := U^{BS}(P^{*B} \otimes \mathbb{1}^S)U^{\dagger BS}$ so that $p_{xy}$ □



From this viewpoint, privacy of the key follows from the ability of one part of the honest players' systems to predict either the key or a complementary observable of the other part; here we focused on Alice's system, but clearly the same result holds for Bob's.
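The tradeoff of Lemma 1 and its use in Theorem 1 can be checked numerically on a small case. The following is an added example, not code from the paper: it assumes qubits ($d = 2$), a constructed three-qubit state $\sqrt{1-q}\,|\Phi^+\rangle^{AB}|0\rangle^E + \sqrt{q}\,|\Phi^-\rangle^{AB}|1\rangle^E$ in which Eve's system records whether a phase error occurred, and projective measurements for Bob and Eve; all function names are hypothetical.

```python
import math
from itertools import product

def shannon(probs):
    """Shannon entropy in bits; zero-probability outcomes contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 1e-15)

def state(q):
    """Constructed sample state: amplitudes of
    sqrt(1-q)|Phi+>_AB|0>_E + sqrt(q)|Phi->_AB|1>_E, keyed by (a, b, e)."""
    amp = {bits: 0.0 for bits in product((0, 1), repeat=3)}
    for k in (0, 1):
        amp[(k, k, 0)] = math.sqrt((1 - q) / 2)
        amp[(k, k, 1)] = (1 if k == 0 else -1) * math.sqrt(q / 2)
    return amp

def rotate(amp, qubit, angle):
    """Change the measurement basis of one qubit to {(c, s), (s, -c)}.
    angle = pi/4 is the Hadamard basis, conjugate to the standard basis."""
    c, s = math.cos(angle), math.sin(angle)
    u = ((c, s), (s, -c))
    out = {bits: 0.0 for bits in amp}
    for bits, a in amp.items():
        for new in (0, 1):
            target = list(bits)
            target[qubit] = new
            out[tuple(target)] += u[new][bits[qubit]] * a
    return out

def joint(amp, i, j):
    """Joint outcome distribution of standard-basis measurements on qubits i, j."""
    dist = {}
    for bits, a in amp.items():
        key = (bits[i], bits[j])
        dist[key] = dist.get(key, 0.0) + a * a
    return dist

def cond_entropy(dist):
    """H(first | second) = H(first, second) - H(second)."""
    marginal = {}
    for (_, second), p in dist.items():
        marginal[second] = marginal.get(second, 0.0) + p
    return shannon(dist.values()) - shannon(marginal.values())

def tradeoff(q, eve_angle=math.pi / 4):
    """Return (H(Z^A|Z^B), H(X^A|X^B), H(Z^A|Gamma^E)) for the sample state."""
    psi = state(q)
    hz_b = cond_entropy(joint(psi, 0, 1))
    conj = rotate(rotate(psi, 0, math.pi / 4), 1, math.pi / 4)
    hx_b = cond_entropy(joint(conj, 0, 1))
    hz_e = cond_entropy(joint(rotate(psi, 2, eve_angle), 0, 2))
    return hz_b, hx_b, hz_e

def lemma1_slack(q, eve_angle):
    """H(Z^A|Gamma^E) + H(X^A|Lambda^B) - log2(d); Lemma 1 says this is >= 0."""
    _, hx_b, hz_e = tradeoff(q, eve_angle)
    return hz_e + hx_b - 1.0

if __name__ == "__main__":
    for q in (0.0, 0.05, 0.1, 0.25, 0.5):
        hz_b, hx_b, hz_e = tradeoff(q)
        print(f"q={q:4.2f}  H(Z|B)={hz_b:.3f}  H(X|B)={hx_b:.3f}  H(Z|E)={hz_e:.3f}")
```

At $q = 0$ both conditions of Theorem 1 hold and Eve's outcome is independent of the key; as $q$ grows, Bob's uncertainty about $X^A$ rises and Eve's uncertainty about $Z^A$ falls, while the sum never drops below $\log_2 d = 1$.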



III. APPROXIMATE PRIVATE STATES 

Of course, a realistic QKD protocol can never produce a perfect secret key or a perfect private state and instead strives to create a good approximation. But what is a good approximation? Because the key is meant to be used in arbitrary further cryptographic applications, the definition of approximate must be composable so that security statements about a whole cryptographic process can be made by individually examining the constituent parts. In this framework, a sufficient notion of approximate secrecy is furnished by the probability that the actual key could be distinguished from an exact secret key. According to Helstrom's theorem [33], the probability of distinguishing between the two quantum states $\rho$ and $\sigma$ is bounded by $\frac{1}{2} + \frac{1}{4}\mathrm{Tr}|\rho - \sigma|$. Hence the trace distance $\frac{1}{2}\mathrm{Tr}|\rho - \sigma|$ is the important quantity. This motivates the definition that a shared $\epsilon$-secret key, where $\epsilon$ is called the security parameter, is any $\rho^{ABE}$ that satisfies $\mathrm{Tr}|\rho^{ABE} - \kappa^{ABE}| < 2\epsilon$ for some perfect secret key $\kappa^{ABE}$.

We could analogously define $\epsilon$-private states to be states that are $\epsilon$-close to exact private states in trace distance. These will lead to $\epsilon$-secret keys since the measurement that creates the key is a quantum operation, and the trace distance can only decrease under quantum operations. However, the converse is not true: States not $\epsilon$-close to a private state may nevertheless still generate $\epsilon$-secret keys. Hence a better approach is simply to say that $\psi^{ABS}$ is an $\epsilon$-private state when the key measurement leads to an $\epsilon$-secret key, with the eavesdropper system $E$ defined as any purifying system of $\psi^{ABS}$.

Intuitively, the new characterization of exact private states should be extendible to the approximate case; if Alice's key and conjugate measurements are almost perfectly predictable by the $BS$ systems, then the shared state ought to produce a good approximation of a secret key. Defining "almost perfect predictability" in terms of nearly zero conditional entropy, or equivalently nearly maximal mutual information, will not suffice, as this approach is not composable [35]. Instead, the following two theorems show that an alternate definition of approximate private states can be given in terms of concrete measurements having small probabilities of error. The first says that if Bob is able to distinguish Alice's state measured in either one of two conjugated bases, then they share an $\epsilon$-private state, while the second is the converse. Only the first theorem is needed when constructing a security proof, but we provide both for completeness and to highlight the connection between our framework and Koashi's complementarity control scenario [22].

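Theorem 2. A state $\psi^{ABS}$ with nondegenerate key observables $Z^A$ and $Z^B$ is an $(\epsilon_z + \sqrt{\epsilon_x})$-private state if there exists a conjugate observable $X^A$ and corresponding measurement $\Lambda^{BS}$ such that

$$p_e = \sum_{j \neq k} \mathrm{Tr}[(P_j^A \otimes P_k^B)\,\psi^{ABS}] < \epsilon_z, \qquad (6)$$

$$p_e = \sum_{x \neq y} \mathrm{Tr}[(P_x^A \otimes \Lambda_y^{BS})\,\psi^{ABS}] < \epsilon_x. \qquad (7)$$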


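Theorem 3. If $\psi^{ABS}$ is an $\epsilon$-private state with nondegenerate key observables $Z^A$ and $Z^B$, then for any conjugate observable $X^A$ there exists a corresponding measurement $\Lambda^{BS}$ such that

$$p_e = \sum_{j \neq k} \mathrm{Tr}[(P_j^A \otimes P_k^B)\,\psi^{ABS}] < \epsilon, \qquad (8)$$

$$p_e = \sum_{x \neq y} \mathrm{Tr}[(P_x^A \otimes \Lambda_y^{BS})\,\psi^{ABS}] < 2\epsilon - \epsilon^2. \qquad (9)$$

As the proofs are somewhat technical, we defer them to Appendix A.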



IV. PRIVATE STATE DISTILLATION 

With this characterization of approximate private states, it becomes simple to construct a procedure to distill private states from an arbitrary input. Alice simply needs to reveal enough information about her system so that the states of the $B$ and $BS$ systems can be reliably distinguished. The amount of information she must reveal depends on the details of the state, and no useful answer can be given in the general case. But when Alice and Bob share asymptotically many copies of an arbitrary state $\psi^{ABS}$, two applications of the HSW theorem give the distillation rate, which we show equals the quantum Csiszár-Körner rate.

However, this distillation scenario contains the additional subtlety that the information Alice needs to reveal ostensibly comes from noncommuting measurements. Avoiding this problem is where CSS error-correcting codes come into play, as they enable the side information to be properly defined in terms of commuting variables and also define the form of the key system of the distilled state. CSS codes were used by Shor and Preskill in their proof of the BB84 protocol for precisely the same purpose, and the following distillation scheme can be understood as an extension of this method to arbitrary private states. This section contains the main results of this paper, which for clarity are subdivided into two parts: How the CSS codes enable distillation when Alice's state has dimension $d^n$, and at what rate can private states be distilled from many copies of an arbitrary resource state.



A. One-shot distillation 

First we recall a few facts about CSS codes. A CSS code encoding $n - m_z - m_x$ qudits into $n$ is defined by a set of $m_z + m_x$ (commuting) stabilizer operators, $m_z$ operators of the form $Z^{\mathbf{s}} = Z^{s_1} \otimes Z^{s_2} \otimes \cdots \otimes Z^{s_n}$ for $0 \le s_i \le d-1$, and $m_x$ of the form $X^{\mathbf{t}} = X^{t_1} \otimes X^{t_2} \otimes \cdots \otimes X^{t_n}$ for $0 \le t_i \le d-1$. We have implicitly used the definition $\mathbf{s} = (s_1, \ldots, s_n)$ and the notation that an operator raised to a string is simply the product of the operators raised to the elements of the string. To simplify notation, we adopt the following: $|\mathbf{k}\rangle = |k_1\rangle \otimes \cdots \otimes |k_n\rangle$, $|\varphi_{\mathbf{k}}\rangle = |\varphi_{k_1}\rangle \otimes \cdots \otimes |\varphi_{k_n}\rangle$, and $P_{\mathbf{k}}$ for $P_{k_1} \otimes \cdots \otimes P_{k_n}$ and similarly for $P_{\mathbf{x}}$ in the conjugate basis.

The first operator set, the Z-type stabilizers, defines a code correcting errors in the standard basis (dit errors, or amplitude errors), while the second, the X-type stabilizers, defines a code correcting phase errors. Here, and henceforth, the operators $X$ and $Z$ are the generalized Pauli operators in $d$ dimensions, given by $Z := \sum_{k=0}^{d-1} \omega^k |k\rangle\langle k|$ and $X := \sum_{k=0}^{d-1} |k+1\rangle\langle k| = \sum_{x=0}^{d-1} \omega^{-x} |x\rangle\langle x|$, where $\omega := e^{2\pi i/d}$.

Measuring the stabilizers yields the amplitude and phase syndromes $\boldsymbol{\alpha} = (\alpha_1, \ldots, \alpha_{m_z})$ and $\boldsymbol{\beta} = (\beta_1, \ldots, \beta_{m_x})$, to which we associate projectors $\Pi_\alpha$ and $\Pi_\beta$, respectively. Since the stabilizers are products of $Z$s or $X$s, these projectors can be expressed as $\Pi_\alpha = \sum_{\mathbf{k} \in [\alpha]} P_{\mathbf{k}}$ and $\Pi_\beta = \sum_{\mathbf{x} \in [\beta]} P_{\mathbf{x}}$. Meanwhile, the $[\alpha]$ and $[\beta]$ are equivalence classes of standard and conjugate basis states that all share the syndromes $\alpha$ and $\beta$, respectively.

Commuting with the stabilizers (but not included in them) are the logical or encoded operators $Z_j$ and $X_j$, one pair for each of the $n - m_z - m_x$ encoded qudits. Crucially, these may also be chosen to be of $Z$ and $X$ type, respectively, an assumption we make throughout. Let $\lambda$ and $\mu$ be the measurement outcomes of all the logical operators $\{Z_j \mid 1 \le j \le n - m_x - m_z\}$ and $\{X_j \mid 1 \le j \le n - m_x - m_z\}$, respectively, and $\Pi_\lambda := \sum_{\mathbf{k} \in [\lambda]} P_{\mathbf{k}}$ and $\Pi_\mu := \sum_{\mathbf{x} \in [\mu]} P_{\mathbf{x}}$ the associated projectors for $[\lambda]$ and $[\mu]$ the corresponding equivalence classes.

The idea behind one-shot distillation is for Alice to measure the syndromes $\alpha$ and $\beta$ on her system and reveal $\alpha$ to Bob. If the CSS code is properly chosen, this information should make it possible to distinguish the corresponding marginals of his key system and the shield, at which point Theorem 2 would apply to key observables $Z_j$ and conjugate observables $X_j$. Bob only needs $\alpha$, since the mere existence of the conjugate basis measurement implies the secrecy of the key. In QKD, measuring the encoded $Z$ operators is equivalent to privacy amplification, and the degrees of freedom in defining the logical operators $Z_j$ give rise to different families of privacy amplification functions. Here we present a one-shot private state distillation theorem useful for QKD security proofs.
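The roles of the amplitude syndrome and the encoded $Z$ value can be traced on classical strings. The following is an added example, not code from the paper: it assumes $d = 2$ and uses the seven-qubit Steane code ($m_z = m_x = 3$, one encoded qubit) purely for illustration, treats standard-basis outcomes as bit strings, and stands in a syndrome lookup for Bob's measurement; the names are hypothetical.

```python
from itertools import product

N = 7
# Parity checks of the [7,4] Hamming code; column j is the binary expansion of j+1.
H = [(0, 0, 0, 1, 1, 1, 1),
     (0, 1, 1, 0, 0, 1, 1),
     (1, 0, 1, 0, 1, 0, 1)]
Z_STABILIZERS = H        # strings s defining Z^s (amplitude checks)
X_STABILIZERS = H        # strings t defining X^t (phase checks)
LOGICAL_Z = (1,) * N     # Z-type logical operator of the single encoded qubit

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % 2

def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def all_commute():
    """Z^s and X^t commute iff s.t = 0 (mod d); checked for the Z-type
    stabilizers and the logical Z against every X-type stabilizer."""
    return all(dot(s, t) == 0
               for s in Z_STABILIZERS + [LOGICAL_Z] for t in X_STABILIZERS)

def syndrome(k):
    """Amplitude syndrome alpha of the standard-basis string k."""
    return tuple(dot(s, k) for s in Z_STABILIZERS)

def logical_value(k):
    """Encoded key bit lambda: the outcome of the logical Z on string k."""
    return dot(LOGICAL_Z, k)

def equivalence_classes():
    """Partition all 2^n strings into the classes [alpha]."""
    classes = {}
    for k in product((0, 1), repeat=N):
        classes.setdefault(syndrome(k), []).append(k)
    return classes

def key_invariant_under_x_stabilizers():
    """lambda must not change when an X-type stabilizer shifts k by t."""
    return all(logical_value(xor(k, t)) == logical_value(k)
               for k in product((0, 1), repeat=N) for t in X_STABILIZERS)

def bob_key(k_bob, alpha):
    """Bob's estimate of lambda from his noisy string and Alice's public alpha."""
    diff = xor(syndrome(k_bob), alpha)
    if any(diff):
        position = int("".join(map(str, diff)), 2) - 1   # locate the flipped dit
        k_bob = xor(k_bob, tuple(int(i == position) for i in range(N)))
    return logical_value(k_bob)

def reconciliation_failures(max_weight):
    """Count pairs (k, e) with 1 <= wt(e) <= max_weight for which Bob's lambda
    differs from Alice's after she reveals only alpha."""
    errors = [e for e in product((0, 1), repeat=N) if 0 < sum(e) <= max_weight]
    failures = 0
    for k in product((0, 1), repeat=N):
        alpha = syndrome(k)
        failures += sum(bob_key(xor(k, e), alpha) != logical_value(k) for e in errors)
    return failures

if __name__ == "__main__":
    classes = equivalence_classes()
    print("stabilizers commute:", all_commute())
    print("classes:", len(classes), "strings per class:", len(classes[(0, 0, 0)]))
    print("failures, weight <= 1:", reconciliation_failures(1))
    print("failures, weight <= 2:", reconciliation_failures(2))
```

Each class $[\alpha]$ contains both key values equally often, so publishing $\alpha$ does not fix $\lambda$; a single dit error is always reconciled, while every weight-2 error leaves Bob with the wrong key bit, which is why the code has to be matched to the noise in the shared state.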



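Theorem 4 (One-Shot Distillation). Let Alice and Bob share an arbitrary state $\Psi^{ABS}$ with $\dim(A) = d^n$ and purification $|\Psi\rangle^{ABSE} = \sum_{\mathbf{k}} \sqrt{p_{\mathbf{k}}}\,|\mathbf{k}\rangle^A |\varphi_{\mathbf{k}}\rangle^{BSE}$. Suppose there exists a CSS code with $m_z$ Z-type stabilizers and $m_x$ X-type stabilizers whose syndromes $\alpha$ and $\beta$ are associated with measurements $\Lambda^B_{\alpha,\mathbf{k}}$ and $\Lambda^{BS}_{\beta,\mathbf{x}}$ for which

$$p_e = \sum_{\alpha} \sum_{\mathbf{j} \neq \mathbf{k}} \mathrm{Tr}[(P^A_{\mathbf{j}} \otimes \Lambda^B_{\alpha,\mathbf{k}})\,\Pi_\alpha \Psi^{AB}] < \epsilon_z, \qquad (10)$$

$$p_e = \sum_{\beta} \sum_{\mathbf{x} \neq \mathbf{y}} \mathrm{Tr}[(P^A_{\mathbf{x}} \otimes \Lambda^{BS}_{\beta,\mathbf{y}})\,\Pi_\beta \Psi^{ABS}] < \epsilon_x. \qquad (11)$$

Then by one-way communication from Alice to Bob they can distill an $(\epsilon_z + \sqrt{\epsilon_x})$-private state of size $d^{\,n - m_z - m_x}$ whose key is the encoded value $\lambda$.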

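Proof. Suppose that Alice measures the syndromes $\alpha$ and $\beta$ and makes $\alpha$ public. The post-measurement state is $|\Psi_1\rangle^{ABSERT} = \sum_{\alpha,\beta} \Pi^A_\alpha \Pi^A_\beta |\Psi\rangle^{ABSE} |\alpha\rangle^R |\beta\rangle^T$, where $R$ is a new public register shared by all parties but $T$ is held by Alice. Coherently measuring $\Lambda^B_{\alpha,\mathbf{k}}$ with the partial isometry $U^{BB_2R}$ produces

$$|\Psi_2\rangle := U^{BB_2R}|\Psi_1\rangle = \sum_{\alpha,\mathbf{k}} \sqrt{\Lambda^B_{\alpha,\mathbf{k}}} \otimes P^R_\alpha\,|\Psi_1\rangle^{ABSERT}\,|\mathbf{k}\rangle^{B_2}.$$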

Bob can determine the values of for all j with error 

3 

probability 



AB 2 
2 



A^A' 



n A := Eke[A] p k and n„ := £ 



P x the associated 



- EE E Tr[(H^Af ik )n^Tj* 

A^A' a, p ke[A'] 

= EE E Tr[(H^Af, k )H^] 

A^A' a ke[A'] 

<EE Tl -[(^^ A ik)n^ s ] 

a j^k 



AB

where we have used $[\Pi_\alpha, \Pi_\beta] = 0$ and $\sum_\beta \Pi_\beta = \mathbb{1}^A$. Alice's conjugate basis measurement can be accurately predicted by first undoing $U^{BB_2R}$ and then measuring $\Lambda^{BS}_{\beta,\mathbf{y}}$. An entirely similar calculation shows that the resulting error probability is less than $\epsilon_x$. Hence, by Theorem 2, $\Psi_2$ is an $(\epsilon_z + \sqrt{\epsilon_x})$-private state, whose key subsystems are the encoded subsystems $A$ and $B_2$. □

As stated, the above theorem only involves one-way communication. However, it can easily be generalized to the sorts of two-way error-correction protocols presented in [35]. The idea is that, instead of making only one measurement, Alice and Bob execute successive "partial" measurements of the syndrome of the dit error correction code, each of which is followed by a round of two-way classical communication. Each measurement is still associated with a set of Z-type operators, but the Z-type operators of the $i$th round of measurement could depend on all their previous outcomes. One-way error correction can be interpreted as the case in which the Z-type operators are chosen independently.



B. Achievable distillation rates

Now we turn to the achievable distillation rates. Define an $(n, \epsilon)$ distillation protocol for $\psi^{ABS}$ to be a series of local quantum operations and classical communication such that application on $\Psi^{ABS} = (\psi^{ABS})^{\otimes n}$ produces an $\epsilon$-private state. If there exists an $(n, \epsilon_n)$ protocol for every $n$, producing a $\log_2 r_n$-bit approximate private state, such that $\lim_{n\to\infty} \epsilon_n = 0$, then the fractional yield of private outputs to raw inputs defines the achievable rate

$$R = \lim_{n\to\infty} \frac{\log_2 r_n}{n}. \qquad (12)$$

Finally, the supremum of achievable rates is called the one-way distillable privacy $P_\to(\psi^{ABS})$ of the state $\psi^{ABS}$. In the following, we use the label $\psi_a$ where necessary to denote that the entropy or mutual information is computed using an extended version $\psi_a^{ACBSE}$ of the state $\psi^{ABSE}$. Using the previous result and a slightly modified version of the HSW theorem given in Appendix B, we quickly get the following:

Theorem 5 (One-Way Distillable Privacy). Given conjugate observables $Z^A$ and $X^A$, consider an arbitrary state $\psi^{ABS}$ and its extension $\psi_a^{ACBS}$ obtained by copying the $Z^A$ basis of $A$ to $C$. Then

$$P_\to(\psi^{ABS}) \ge I(Z^A{:}B) - H(Z^A) + I(X^A{:}CBS)_{\psi_a}.$$

Proof. Without loss of generality, we can assume that $d = \dim(A)$ is prime by appending additional $|k\rangle^A$ for which the corresponding weights $p_k = 0$. Let $C$ be under Alice's control so that she can perform the copy operation and consider $\Psi^{ACBS} = (\psi^{ACBS})^{\otimes n}$. Pick a CSS code $c$ from the distribution $C$ given in Appendix C so that the Z-type and X-type stabilizers give rise to universal hash functions (for a definition, see Appendix B), and let $m_z = \lceil \frac{n}{\log_2 d}[H(Z^A) - I(Z^A{:}B) + 4\delta] \rceil$ and $m_x = \lceil \frac{n}{\log_2 d}[H(X^A)_{\psi_a} - I(X^A{:}CBS)_{\psi_a} + 4\delta] \rceil$ for a fixed $\delta > 0$.

Theorem 7 implies that the measurements $\Lambda^B_{\alpha,\mathbf{k}}$ constructed from these hash functions can predict Alice's key with average error probability $\langle \epsilon_{z,c} \rangle_C < 6 \cdot 2^{-n\delta}$. Similarly, the average error probability of the measurements $\Lambda^{CBS}_{\beta,\mathbf{x}}$ in predicting the conjugate basis observable is $\langle \epsilon_{x,c} \rangle_C < 6 \cdot 2^{-n\delta}$. Now apply Theorem 4 to each CSS code, where the shield is the combined system $CS$, and average over the different codes. Using the concavity of the square root and the fact that $H(X^A)_{\psi_a} = \log_2 d$, it follows that Alice and Bob can create an $\epsilon$-private state having $n[I(Z^A{:}B) + I(X^A{:}CBS)_{\psi_a} - H(Z^A) - 8\delta]$ key bits, for $\epsilon < \langle \epsilon_{z,c} \rangle_C + \sqrt{\langle \epsilon_{x,c} \rangle_C} < 6 \cdot 2^{-n\delta} + \sqrt{6} \cdot 2^{-n\delta/2}$. □

By Lemma 2, $P_\to(\psi^{ABS}) \ge I(Z^A{:}B) - I(Z^A{:}E)$, so this method achieves the same yield of secret key as the random coding method used by Devetak and Winter [13].



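Lemma 2. For conjugate observables $Z^A$ and $X^A$ and a state of the form $|\psi_a\rangle^{ACBSE} = \sum_k \sqrt{p_k}\,|k\rangle^A |k\rangle^C |\varphi_k\rangle^{BSE}$, $I(X^A{:}CBS) = H(Z^A) - I(Z^A{:}E)$.

Proof. Rewrite $|\psi_a\rangle^{ACBSE}$ as $\frac{1}{\sqrt{d}}\sum_x |x\rangle^A |\vartheta_x\rangle^{CBSE}$ for $|\vartheta_x\rangle^{CBSE} = Z^x \sum_k \sqrt{p_k}\,|k\rangle^C |\varphi_k\rangle^{BSE}$. Hence $S(\vartheta_x^{CBS}) = S(\vartheta_0^{CBS})$ for all $x$. From the Schmidt decomposition, $S(\vartheta_0^{CBS}) = S(\vartheta_0^E) = S(E)$ and $S(CBS) = S(AE)$. Therefore,

$$I(X^A{:}CBS) = S(CBS) - \sum_x q_x S(\vartheta_x^{CBS}) = S(AE) - S(\vartheta_0^{CBS}) = H(Z^A) - I(Z^A{:}E).$$

□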



An immediate corollary is that the distillable privacy of an arbitrary state $\psi^{AB}$ without a specified shield system must be no less than the coherent information $I_c(A\rangle B) := S(B) - S(AB)$; this can be seen as a weaker version of the hashing inequality, which we will consider in the next section.

Corollary 1. $P_\to(\psi^{AB}) \ge I_c(A\rangle B)$.

Proof. Pick any observable $Z^A$ and define the computational basis of $A$ as its eigenbasis. Consider the purification $|\psi\rangle^{ABE} = \sum_k \sqrt{p_k}\,|k\rangle^A |\varphi_k\rangle^{BE}$ of $\psi^{AB}$, and note that $I_c(A\rangle B) = S(B) - S(E) = I(Z^A{:}B) - I(Z^A{:}E)$, where the last equality follows from the fact that $S(\varphi_k^B) = S(\varphi_k^E)$ for all $k$. From Theorem 5 and Lemma 2, $P_\to(\psi^{AB}) \ge I(Z^A{:}B) - I(Z^A{:}E) = I_c(A\rangle B)$. □



V. HASHING INEQUALITY

Now we turn to the related question of entanglement
distillation and show how the above analysis can be modified
to prove the hashing inequality on the one-way distillable
entanglement $E_{\rightarrow}(\psi^{AB})$, which is defined analogously
to $P_{\rightarrow}(\psi^{ABS})$. There are two main differences
with the methods used in the preceding section. The
first is that for Theorem 5 it does not matter how the
shield is split between Alice and Bob, but of course for
entanglement distillation Alice and Bob must be able to
locally untwist the private state. The difficulty comes
from the first step, in which Alice copies her key to system
C, which was then considered part of the shield.
Here, we avoid this problem by showing that after Bob
makes the measurement, he effectively has system
C. Thus, he has the entire shield, and can perform the
untwisting operator himself.

The second difference stems from the definition of ap- 
proximate private states as states that yield approximate 
secret keys when measured. Because we must now per- 
form all measurements coherently, these results are not 
directly applicable. Modifying them is possible, but we 
prefer to give a more direct argument, which has the side 
benefit of yielding a better approximation parameter. 

Theorem 6 (Hashing Inequality). $E_{\rightarrow}(\psi^{AB}) \ge I_c(A\rangle B)$.

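Proof. The proof proceeds by successively performing the
$\Lambda_\alpha^{B}$ and $\Lambda_\beta^{BC}$ measurements coherently and showing how
the result is close to an entangled state. Purify $\psi^{AB}$ to
$|\psi\rangle^{ABE} = \sum_k \sqrt{p_k}\,|k\rangle^A |\varphi_k\rangle^{BE}$. Without loss of generality,
we can assume that $d = \dim(A)$ is prime by appending
additional states $|k\rangle$ for which $p_k = 0$. Now define
$|\Psi\rangle^{ABE} := (|\psi\rangle^{ABE})^{\otimes n} = \sum_{\mathbf{k}} \sqrt{p_{\mathbf{k}}}\,|\mathbf{k}\rangle^A |\varphi_{\mathbf{k}}\rangle^{BE}$,
where $p_{\mathbf{k}} = p_{k_1} p_{k_2} \cdots p_{k_n}$.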

Suppose Alice picks a CSS code c from the distribution
C described in Appendix C with $m_z$ Z-type and
$m_x$ X-type stabilizers, measures the dit and phase error
syndromes $\alpha$ and $\beta$, and declares them publicly. This
transforms the state into



ABE 



oc,(3) R , 



(13) 



a,f3 

where R is a publicly-held register. 

Let $m_z = \frac{n}{\log_2 d}\,[H(Z^A)_\psi - I(Z^A{:}B)_\psi + 4\delta]$ for some
arbitrary $\delta > 0$. By Theorem 7 there exists a measurement
$\Lambda_\alpha^{B}$ that predicts Alice's key with error probability
$\epsilon_{z,c}$ such that $\langle \epsilon_{z,c} \rangle_c \le 6 \cdot 2^{-n\delta^2}$. Performing this
measurement coherently yields



|* 2 ) := J2 n^n^A^ k |*)^|k) c |a,/3)«, 

k,a,/3 

where the output is stored in system C . This state is 
essentially identical to the one in which Bob simply has 
a copy of Alice's key, 

|*' 2 ):=^H^|* a )^|a,/3) fl , (14) 

a,0 



where $|\Psi_a\rangle = |\psi_a\rangle^{\otimes n}$, as defined in Theorem 5, except
that Bob holds C. Computing the fidelity, we obtain



. BE 



W 2 > = E p k (^l v /Af k |^ k ) J 

ct,k£ [a] 



a,kG [a] 

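using the fact that $\sqrt{\lambda} \ge \lambda$ for $0 \le \lambda \le 1$. Since
the fidelity bounds the trace distance via
$\mathrm{Tr}|\rho - \sigma| \le 2\sqrt{1 - F(\rho,\sigma)^2}$ [13], we have
$\mathrm{Tr}|\Psi_2 - \Psi'_2| \le 2\sqrt{2\epsilon_{z,c}}$.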

Now rewrite \%) as \%) = E x \/^I S ) j4 I ,? x) BCB and 
let $m_x = \frac{n}{\log_2 d}\,[H(X^A)_{\psi_a} - I(X^A{:}BC)_{\psi_a} + 4\delta]$. By
Theorem there exists a measurement $\Lambda_\beta^{BC}$ that can
predict the outcome of a conjugate measurement on A
with error probability $\epsilon_{x,c}$ such that $\langle \epsilon_{x,c} \rangle_c \le 6 \cdot 2^{-n\delta^2}$.
Starting from $|\Psi'_2\rangle$, suppose Bob coherently measures $\Lambda_\beta^{BC}$
and stores the result in D. This gives



3/ •— / 4 



%):= Y j nili A Jk B ^ a ) ABCE \y) D \ a ,f3) R 



As before, this is essentially the same as the state \^) 
in which Bob has a copy of Alice's string x in system D, 



1*3) = E v^<^) A \^) D \^) BCE \^^) R , (15) 

x,ck,/3 

and a similar calculation to the one above shows that 



Tr|*' 3 - < 2 v /2i^ 



Implicit in rewriting \^' 2 ) using Alice's conjugate basis 
is the fact that ^\^) BCE = £ k y/ptffik) \k) c \^) BE . 
Substituting this in Eq. (15) gives

1 



l*3> 



x.,ot.{3 



TL A Il A \x) A \3t)»\ a ,f3) 



R 



E 

k 



Pk W 



- k \kf\^) BE . 



Bob can now decouple subsystem BCE by using the 



operator U 



BD 



P B , and the result is 



an entangled state in the encoded subsystem AD, 
1 



1*2) 



u BD m 



ct,/3 

E 

k 



AD \*,(3) R 

K\W\^)" E . (16) 



Since they never hold exactly |\& 2 ) or I ^3)1 Alice and 
Bob only end up with a good approximation to an entangled
state. To determine how good, we can use properties
of the trace distance. Call the unitaries implementing
the coherent measurements $U^{BC}$ and $U^{BCD}$, respectively,
and define $W^{BCD} = U^{BD} U^{BCD} U^{BC}$. Applying
W to $\Psi_1$ generates $\Psi_4$, and by the triangle inequality
and unitary invariance of the trace distance, we have

$$\mathrm{Tr}|\Psi_4 - \Psi'_4| \le 2\left(\sqrt{2\epsilon_{z,c}} + \sqrt{2\epsilon_{x,c}}\right). \quad (17)$$

The next step is to average over all CSS codes. Using
the concavity of the square root and the fact that the
trace distance cannot increase under the partial trace,
we obtain

$$\mathrm{Tr}|\Psi_4^{AD} - \Phi^{AD}| \le 8\sqrt{3}\cdot 2^{-n\delta^2/2}. \quad (18)$$

Finally, we must show that the resulting rate
is given by the coherent information. Since
$H(X^A)_{\psi_a} = \log_2 d$,
$(n - m_x - m_z)\log_2 d = n\,[I(Z^A{:}B)_\psi + I(X^A{:}BC)_{\psi_a} - H(Z^A)_\psi - 8\delta]$.
By Lemma 2, $I(X^A{:}BC)_{\psi_a} = H(Z^A)_{\psi_a} - I(Z^A{:}E)_{\psi_a}$.
Clearly $H(Z^A)_\psi = H(Z^A)_{\psi_a}$ and similarly for the
quantum mutual information of $Z^A$ with B or E. Since
$I_c(A\rangle B)_\psi = I(Z^A{:}B)_\psi - I(Z^A{:}E)_\psi$, as in Corollary 1,
$(n - m_x - m_z)\log_2 d = n I_c(A\rangle B)_\psi - 8n\delta$, which concludes
the proof. □

VI. RELATION TO PREVIOUS WORK 

The present work is an outgrowth of earlier work on
private states by one of us [38] and draws much inspiration
from the work of Koashi [10] [Hj]. In particular,
Theorems 5 and 3 are closely related to the first two theorems
of [22], in which Koashi defines the two protocols of
the complementary control scenario. It is easy to see that
our condition on the predictability of the key is equivalent
to his condition on the primary protocol, and that
our condition on the measurement $\Lambda^{BS}$ implies his
condition on the secondary protocol. Therefore, Theorem 2
is a corollary of the first theorem of [22]. Although we
were not able to show that the condition on the secondary
protocol implies our condition on the measurement $\Lambda^{BS}$,
Theorem 3 can be proven using arguments very similar
to those found in [22].

Meanwhile, Theorem 4 corresponds conceptually to the
inclusion of the complementary control scenario in the
security analysis of [10], with several important differences
in the details. First, we do not consider parameter
estimation at all, while [10] presents a full security analysis
for BB84. To complete a security proof using our results,
one would need to determine what quantum states
$\psi^{ABS}$ are compatible with the output of the parameter
estimation phase of the protocol in order to apply
Theorems 5 and 3. This can be done with an estimate of the
quantum channel noise obtained indirectly from the
experimental measurements. The advantage of Theorem 4
is that it could be used to prove the security of a more
general set of QKD protocols, even those including
preprocessing. Second, assumes that Bob's conjugate
measurement is independent of $\beta$, with the supplemental
information supplied only after the measurement is
made. In our method, Bob uses the syndrome $\beta$ to
construct the measurement $\Lambda_\beta^{BS}$. Generally, the latter is no
less powerful than the former, and avoids the pitfalls of
locking of accessible information [39]. In Appendix D we
provide a concrete example in which allowing $\Lambda^{BS}$ to
depend on $\beta$ yields a better security parameter than if it
were independent.

The smaller difference concerns the step in of having
Alice encrypt the amplitude error syndromes using a
preshared secret key. This removes the need to use a CSS
code [10], but requires a key of size $O(n \log d)$ bits [in addition
to the authentication key, of size (9(logn • logeQ]
and makes a small but practically significant difference
for QKD. Theorem 3 can be modified to encrypt the syndrome
$\alpha$ of an arbitrary (not necessarily linear) code as
follows. Suppose Alice and Bob already share a perfect
secret key $\ell$ of the same size as the amplitude error
syndrome $\alpha$. Alice publicly transmits $\alpha + \ell$ to Bob.
He recovers $\alpha$ using $\ell$ and can then make the $\Lambda_\alpha$
measurement. The system R storing the value of $\alpha$ is unknown
to Eve and can be decoupled with the operator
® {X R )~ a since this does not affect the key measurements.
We can now apply Theorem 4 directly on the
resulting correlated state. Using these ideas, one can easily
show that the final security parameter would have a
similar form with or without encryption of the dit error
syndrome.

By adapting Koashi's complementarity scenario, we 
are able to construct a means for distilling private states 
from arbitrary resource states at a rate given by the quan- 
tum Csiszár-Körner bound. This complements the result
of Devetak and Winter [27], showing more directly how 
physical (quantum-mechanical) phenomena are respon- 
sible for the privacy of the key. As mentioned before, 
it must be possible to view their result as private state 
distillation by performing the operations coherently, and 
indeed a twisting operator plays an important role in 
their derivation of the hashing inequality, specifically the 
operator U defined on p. 8 of [13]. Mathematically speak-
ing, the difference in the two approaches can be traced to 
the origins of this operator: here from the measurement 
used in the HSW theorem to determine the outcome of 
Alice's conjugate measurement, there from the quantum 
Chernoff bound via Uhlmann's theorem. 

A different approach to private state distillation is 
taken in [41], whose ultimate goal is to show that key
distribution is still possible over channels whose quan- 
tum capacity is zero, rather than give rates on private 
state distillation. The distillation portion of the proto- 
col accepts only certain inputs, namely twisted versions 
of noisy entangled states, and thus the distillation pro- 
cedure works by untwisting the state and then applying 
entanglement distillation. The difficulty in this scheme 
then lies in determining the optimal combination of twist- 
ing operator and noise such that the given input can be 
expressed in this form. As such, no closed-form distil- 
lation rate expressions can be given, and happily this is 
not relevant to their goal. 

Our method of private state distillation gives a new 
proof of the hashing inequality, which then also implies 
a new proof of the direct quantum coding theorem. This 
version differs from previous work [l3|, |42|, H, Hf| |46| . 
[47} in several ways, mainly by the explicit use of CSS 
codes from the beginning and the fact that the decoder
is constructed from the measurement used in the HSW 
theorem, rather than by decoupling Eve and appealing 
to Uhlmann's theorem. This construction resolves the 
open question raised in the conclusion of [47], as here the
decoder is directly linked to the bit and phase syndromes 
of the CSS code. 

Finally, we would like to point out the connections to 
recent work on complementary channels. In [48, 49, 50],
it has been shown that a correctable channel implies that 
the complementary channel is private, and vice versa. 
Theorems [2] and [3] are essentially a static version of this 
(dynamic) result, applied to bipartite states instead of 
channels and starting from different assumptions. 



VII. CONCLUSION 

We provide a characterization of private states in terms 
of a complementary information tradeoff and generalize 
the security proof methods based on entanglement distil- 
lation and the uncertainty principle. This generalization 
is formulated as a one-shot distillation theorem (Theorem 4).
Exploiting this framework, we give alternative
proofs of the quantum Csiszár-Körner bound on distillable
secret key (Theorem 5 and Lemma 2) and the hashing
inequality on distillable entanglement (Theorem 6).

One of the main applications of this work is of course 
to QKD, particularly proofs for realistic protocols. These 
involve more physical systems than just those describ- 
ing the keys and the eavesdropper, and one challenge has 
been determining how to use information the honest par- 
ties have about such systems. Including the shield system 
into the security analysis and picturing the QKD process 
as private state distillation gives a general method for do- 
ing so, a point also emphasized by Koashi [10]. The im-
portance of these extra systems is how they contribute to 
knowledge of hypothetical conjugate basis measurements 
made on the key system of either party. 

This is dramatically exemplified by Koashi's security 
proof of the BB84 protocol with uncharacterized detec- 
tors, which proceeds by noting that this protocol directly 
furnishes Bob with an estimate of Alice's conjugate basis 
result, regardless of the detector details. Our results pro- 
vide a more detailed and complete picture of how shield 
systems contribute to privacy, which should expand the 
range of protocol and device imperfections that can be 
treated. For instance, it would be interesting to inves- 
tigate the unconditional security of QKD protocols that 
are not permutation invariant [51, 52]. This possibility is
particularly appealing since Theorem [4] does not require 
a permutation of the input state nor does it depend on a 
particular method of parameter estimation. We plan to 
examine these issues and other implications for realistic 
protocols in an upcoming publication. 

As a final remark, we note that our approach to the 
hashing inequality is closely related to [47], which also
makes use of an information-uncertainty relation. In 



fact, that relation is simply the "quantum" version of the
complementary information tradeoff, Lemma 1, replacing
the classical conditional entropy H with the classical-quantum
conditional entropy S to obtain

$$S(Z^A|E) + S(X^A|B) \ge \log_2 d \quad (19)$$

for any state $\rho^{ABE}$, conjugate observables $Z^A$ and $X^A$,
and $d = \dim(A)$. As the "classical" version can easily be
generalized to nonconjugate observables simply by using
the general form of the entropic uncertainty relation, it
becomes reasonable to ask if the "quantum" version of
the same holds as it does for strictly conjugate observables.
Numerical evidence supports this claim, and we
explore this subject in more detail in [53].

APPENDIX A: APPROXIMATE PRIVATE STATE
PROOFS 

Here we present the proofs of Theorems 2 and 3.

Proof of Theorem [H Write the purification of ip ABS as 
^abse _ Y,jk\/Pjk\ik) AB \<Pjk) SE for some (normal- 
ized) states \(fjk) ■ Copying the standard basis of Bob's 
state to a blank register |0) s with the unitary C BB 
yields \if, 1 ) ABSEB ' = E ]k VP^\j k ) AB \ k ) B '\^) SE . 
Let ip ABB SE be the state after measuring Z A and 
Z B and consider the related state \ip' 1 ) ABB ' SE = 

J2k ^/Pjk\jj) AB \k) B \ipjk) SE '■ Performing the same mea- 
surement on if}' and computing the trace distance be- 
tween the states, we find 

TrtffBE _ 0AB E] = 2 J2p jk = 2 Pc < 2e z . (Al) 

Observe that \i,' l ) ABB ' SE = C AB \if}) AB ' SE \0) B . Rewrite 

the original state as \ip) AB ' SE = J2 X y/<h\x) A Wx) B ' SE 
for some probability distribution q x and normalized 
states SE ■ Coherently performing the A B s mea- 

surement with unitary U B ST , where the extra system T 
stores the result, we find 

= C AB U B ' ST \ip) AB ' SE \0) B \0) T (A2) 

= £ V^c AB \x) A \Q) B ^lf~ s \^) B ' SE \y) T . (A3) 

xy 
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Define W 2 ) = £ a 
its fidelity with 



Vo^ r>AB\ 



C AB \x) A \0) B J A B 'S\d x ) B ' SE \x) 



\ AB' SET 



IS 



(V>2|V4) = Vl-Pc> VT 



(A4) 



In general, the fidelity between two quantum states is 
defined as F(p,a) := Tr\^/pyft\. Note that \ip 2 ) ABB ' SET 
is a private state with key systems AB and shield B' ST. 
One way to see this is to rewrite \x) in terms of 



kx 



■\kk) AB ^/a^i^) 



B ' SE \x) T . 



Applying the unitary operator W BT = J2kx e~ l9kx P B ® 
P x results in a maximally entangled state l^)" 4 - 8 in the 
AB subsystem. Since W BT is a twisting operator, \ip' 2 ) 
is a private state. 

If we now define \^ 3 ) ABB ' SET = W B ' ST W 2 ) ABB ' SET , 
also a private state since U^ B ST acts only on the shield, 
it follows from unitary invariance of the inner product 
that 



F 



(|V>3 



ABB' SET 



)\ABB'SE\ 



|0) T >VT 



(A5) 



Finally, bound the trace distance with the fidelity, us- 
ing the relation Tr|p— <j\ < y/l — F(p, a) 2 . This implies 
Tv\4) ABE - $'^ BE \ < 2y/e^, and using the triangle in- 
equality we obtain Ti\^ ABE - $ ABE \ < 2(e z + y/e^). □ 

Proof of Theorem Assume Eve holds the purification 
of ip ABS and measure AB to create the key. This yields 

^ABE _ £ (pA % pB^AB E( pA g pBy A simple 

and direct calculation using the triangle inequality gives 
2p c < Ti\ip AB — k ab \. Since ip ABS is an e-approximate 
private state, Tr\$ ABE - k abe \ < 2e. Tracing out E 
does increase this distance, therefore p c < e. 

To prove the analogous statement for the conjugate
basis, we must define a suitable A BS . For this we 
adapt the corresponding measurement from the purifi- 
cation of k abe , which is a private state. First bound 
the fidelity with the trace distance, using the fact that 



1 - ±Tr|p -tr\< F(p,a) gg. Thus F{$ 



ABE „ABE 



) > 



1 — e. Uhlmann's theorem asserts that for any pu- 
rification \ifj) ABER of •ip ABE , there exists a purifica- 
tion \n) ABER of n ABE such that F($ ABE , n ABE ) = 
F{\xj;) ABER ,\K) ABER ). We can set R = SA'B' 
and take the former purification to be \ip} ABER := 

C AA' C BB'^ABSE^A'^B' for (jAA> and (jBB' unitary 



\A! 



K)™~"** is an exact private state, 

i\ABER ._ (jfAA'(jfBB'l K \ABER 



operations such that C AA \k) A \0) A = \k) A \k) 

By definition \~\ ABER 
and so is \k' / .— <^ w \n, Pi 

Since fidelity is invariant under a unitary trans- 
formation, ' F(\jP) ABSE \0) A '\0) B ' ,\n') ABER ) 

Hence there exists A' BR 



F(\^) aber ,\k) abeh ). 
such that measuring P A ® A' BR on \n') ABER produces 
the uniform distribution h&xy Making the same 
measurement on \ip) ABSE \0) A |0) s results in some 



probability distribution q xy . Observe that measuring 
A' BR on \tp) ABSE \Q} A '\0) B ' is the same as measuring 



y 

A BS 

y 



\A'B' 



\ABSE 



(oo\ AB A ,BR \ooy 

Since a quantum operation cannot decrease the fidelity, 
we immediately have F(\ip) ABSE \0) A ' \0) B ' , \k') aber ) < 



F(q xy , ^S xy ). But 



< 



qx y = 



x^y 



(A6) 

by the concavity of the square root function. Collecting 
the inequalities, we find p c < 2e- e 2 . □ 



APPENDIX B: STATIC HSW THEOREM 

Suppose a source described by the ensemble
$\mathcal{E} = \{p_k, \varphi_k\}$ distributes classical letters $k \in \{0, 1, \ldots, d-1\}$
to Alice and quantum states $\varphi_k$ to Bob. Alice would
like to communicate the value of k to Bob, using as few
resources as possible. Bob already possesses some information
about k in the form of $\varphi_k$, but in general cannot
reliably distinguish between all these states. But Bob
can learn k if Alice reveals some information about k, a
"hint" that narrows the set of $\varphi_k$ to some that he can
reliably distinguish.

This is the "static" version, first studied in [54, 55], of
the standard HSW scenario in which Alice actively encodes
the information s she wants to send to Bob using
the signal ensemble $\mathcal{E}$ [HI, 24]. Typically this problem
is considered in the asymptotic setting of many identical
and independent samples from $\mathcal{E}$. Alice then encodes
her information into a block of such samples and Bob
performs a collective measurement, a version of the
so-called pretty good measurement (PGM) [56], to decode
the message. Properties of typical sequences and subspaces
are used to prove that the PGM has a low probability
of error.

Although in the main text we are concerned with using
linear functions to generate the side information, in
this appendix we shall consider the more general method
of universal hashing [5^ ] (also called 2-universal hashing),
since it is not any more difficult and random linear
functions are universal. In universal hashing the hint
is generated by choosing a random
$f : \{0, \ldots, d^n - 1\} \to \{0, \ldots, m - 1\}$ from a family $\mathcal{F}$ of hash
functions and computing $t = f(x)$. Each function defines the
subset $S_t$ of possible inputs having the same output value; hopefully
Bob will be able to distinguish between the elements of
this set. The family is called universal when the probability
of collision, $f(x) = f(y)$ for $x \ne y$, is the same
as for random functions: $\Pr_f[f(x) = f(y)] \le 1/m$. Put
differently, the probability of any two elements being included
in some $S_t$ is also the same as if Alice chose the
subsets completely at random, which is random enough
for the procedure to work.

In the i.i.d. scenario Alice and Bob share n copies of the
state $\psi^{AB} = \sum_{k=0}^{d-1} p_k P_k \otimes \varphi_k$, which we write as
$\Psi^{AB} = \sum_{\mathbf{k}} p_{\mathbf{k}} P_{\mathbf{k}} \otimes \varphi_{\mathbf{k}}$. By the following static HSW theorem,
a hint roughly of size $\log_2 m = n[H(p_k) - \chi(p_k, \varphi_k)] =
n[H(Z^A) - I(Z^A{:}B)]$ suffices for Bob to learn $\mathbf{k}$ with
exponentially small average probability of error.

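Theorem 7 (Static HSW Theorem for Universal Hash
Functions). For n copies of an arbitrary state of the form
$\psi^{AB} = \sum_{k=0}^{d-1} p_k P_k \otimes \varphi_k$, fix $\delta > 0$. Then for a universal
family of hash functions $f : \{0, \ldots, d^n - 1\} \to \{0, \ldots, m - 1\}$
where $\log_2 m = n[H(Z^A) - I(Z^A{:}B) + 4\delta]$ there exist
measurements $\Lambda_{f(\mathbf{k}),\boldsymbol{\ell}}$ such that

$$p_e = \Big\langle \sum_{\boldsymbol{\ell} \ne \mathbf{k}} \mathrm{Tr}\big[\Lambda_{f(\mathbf{k}),\boldsymbol{\ell}}\, \varphi_{\mathbf{k}}\big] \Big\rangle_{f,\mathbf{k}} \le 6 \cdot 2^{-n\delta^2}. \quad (B1)$$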



Proof. Fix a d > and start by Alice measuring her share 
of the state in the computational basis. With probability 

greater than 1 — e for e = e 2 , the resulting string k 
is typical, meaning k G T s n = {£\2- nH (P^- nS < Pt < 
2 -„H( Pk )+n5} jggj jf kig nQt typical; triC p ro tocol aborts. 

If it does not abort, Alice randomly picks / from a 
universal family J- and sends /(k) to Bob via the pub- 
lic channel. This narrows the set of possible k to the 
subset C/(k) of typical elements of <5>/(k)- Bob will try 
to determine k by making a measurement to distinguish 
the ipe for £ G Cfiy \- For this he uses the PGM defined 
by Eq. (11) in 23], which is represented by the POVM 
elements 



A /(k),* 



tec. 



J2 QQeQj ~QQkQ[ J2 QQ*Q 



tec, 



where $Q$ and $Q_{\mathbf{k}}$ are the projections into the typical subspaces
(subspaces spanned by eigenstates with typical
eigenvalues) of $\varphi^{\otimes n}$ and $\varphi_{\mathbf{k}}$, respectively. For a specific
$f$ and $\mathbf{k}$, a bound for the average error probability of this
measurement is given by Eq. (17) of [23], except that we
do not yet need to average over all codewords,



p e (k) < 3Tr[^ k (l - Q)] + Tr[<p k (l - 
+ ^ ^[QVkQQe] + ilk, 



Ok)] 



tec. 



where $\eta_{\mathbf{k}}$ is 1 if $\mathbf{k}$ is typical and 0 otherwise. In our case,
we are interested in the probability of error averaged over
all $f$ and $\mathbf{k}$, i.e. $\langle p_e(\mathbf{k}) \rangle_{f,\mathbf{k}}$. To compute it, we need the
following relations (see [23] for details):

Tr[^"(l - Q)} < e, (B2) 

(Trbk(l - Qk)]) k < e, (B3) 

Q w < 2 n ^iP- s ^^ +n Vk, (B4) 

<pu< 2 nH{p ^ +nS p® n , (B5) 

ker™ 

||Q£® n Q||oo <2- nS ^ +nS , (B6) 



where HM]^ is the maximal eigenvalue of M. Since 
(<y5k)k = <p® n , we have 

(Pc(k)) k ,/ < 5e+( J2 Tr [^kOO M ])k,/ 

< 5e+ ( £ Pr/[/(/i) = /(k)]Tr[Q^ k Q0 M ])k. 

Straightforward calculations give 

(P,(k)) kf < 5e+ — 2" ff fe)+™5: i P' s (^)+ 2 " 5 Tr[Q^ n Q(p l 

TO 

< g e ^ _ 2 nH (Pi)— nS(<p)+n J2j PiS(<Pi)+3n8 



<8nl 



where for the last step we use the relation 
Tr[Q£®"Q£® n ] < ||0^™g||ooTr[^"] = WQ^Q]^. 
Choosing log 2 m > n [H(pi) - S((p) + ^iP^i^i) + 45] 
completes the proof. □ 



APPENDIX C: UNIVERSAL DISTRIBUTION 
FOR STABILIZERS OF CSS CODES 

The question we answer in this section is how to pick
a family of CSS codes such that both the Z- and X-type
stabilizers are universal hash functions. The difficulty is
that the two stabilizers are not independent; they must
commute with each other. The Z and X stabilizers can
be represented by an $m_z$ by n matrix $M_z$ and the $m_x$ by
n matrix $M_x$, respectively, where each entry is an integer
modulo d. We have the following

Lemma 3. Consider the set of all $(m_x + m_z)$ by n matrices
R such that each row is orthogonal to the others and
where each entry is an integer modulo a prime number d.
Let $M_z$ be the first $m_z$ rows of R, and $M_x$ be the last $m_x$
rows of R. Then the linear functions associated with $M_z$
and $M_x$ are both universal.

Proof. Let $r_i$ be the ith row of R. All possible strings
have the same probability to be $r_1$. Therefore, for any
distinct n-dit strings $\mathbf{k}$ and $\mathbf{k}'$,
$\Pr_R[r_1 \cdot \mathbf{k} = r_1 \cdot \mathbf{k}'] = 1/d$.
This is not generally true if d is not prime. Now we
proceed by induction. Assume that we have a set $R_\ell$ of
strings $r_1, r_2, \ldots$ and $r_\ell$ such that
$\Pr_R[r_i \cdot \mathbf{k} = r_i \cdot \mathbf{k}' \mid 1 \le i \le \ell] \le 1/d^{\ell}$.
Conditional on $R_\ell$, the next row $r_{\ell+1}$ is
uniformly distributed over the space of strings orthogonal
to the set $R_\ell$. If $r_j \cdot \mathbf{k} \ne r_j \cdot \mathbf{k}'$ for some $1 \le j \le \ell$, then
$\Pr[r_i \cdot \mathbf{k} = r_i \cdot \mathbf{k}' \mid 1 \le i \le \ell + 1] = 0$. So we can
consider only the case in which $r_i \cdot \mathbf{k} = r_i \cdot \mathbf{k}'$ for all
$1 \le i \le \ell$. In that situation, $\mathbf{k} - \mathbf{k}'$ can be expanded in
any basis of the space orthogonal to $R_\ell$ (the coefficients
being integers from 0 to $d - 1$). Pick one such basis. $r_{\ell+1}$
is uniformly distributed over all strings that are spanned
by this basis, therefore
$\Pr_{R \setminus R_\ell}[r_{\ell+1} \cdot \mathbf{k} = r_{\ell+1} \cdot \mathbf{k}'] = 1/d$,
where we assumed $r_i \cdot \mathbf{k} = r_i \cdot \mathbf{k}'$ for all $1 \le i \le \ell$.
Including all possible cases, we deduce that
$\Pr_R[r_i \cdot \mathbf{k} = r_i \cdot \mathbf{k}' \mid 1 \le i \le \ell + 1] \le 1/d^{\ell+1}$.

Since there is no distinction between the order of the
rows of R, we conclude that any function associated with
a matrix composed of a subset of rows of R is universal.

□
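
The collision bound that defines a universal family in Appendix B, and the remark in the proof of Lemma 3 that the single-row bound fails when d is not prime, can both be checked exhaustively for small parameters. The Python sketch below is an added example, not code from the paper; the function names and parameter choices are assumptions made for illustration, and it draws matrices uniformly from all m by n matrices modulo d, without the row-orthogonality constraint of Lemma 3.

```python
"""Exhaustive check of the 2-universal property for random linear hashes
over Z_d (added illustration; names and parameters are assumptions)."""
from fractions import Fraction
from itertools import product


def linear_hash(M, k, d):
    """Hint t = M k (mod d): one output dit per row of M."""
    return tuple(sum(a * b for a, b in zip(row, k)) % d for row in M)


def all_matrices(d, n, m):
    """Every m x n matrix with entries in {0, ..., d-1}."""
    rows = list(product(range(d), repeat=n))
    return product(rows, repeat=m)


def worst_collision_probability(d, n, m):
    """max over k != k' of Pr_M[M k = M k'] for M uniform over all matrices.

    By linearity M k = M k' iff M (k - k') = 0, so it is enough to scan
    every non-zero difference delta = k - k' (mod d).
    """
    matrices = list(all_matrices(d, n, m))
    zero = (0,) * m
    worst = Fraction(0)
    for delta in product(range(d), repeat=n):
        if not any(delta):
            continue  # k == k' is not a collision
        hits = sum(1 for M in matrices if linear_hash(M, delta, d) == zero)
        worst = max(worst, Fraction(hits, len(matrices)))
    return worst


def is_universal(d, n, m):
    """Universal: collision probability <= 1 / (number of hash outputs)."""
    return worst_collision_probability(d, n, m) <= Fraction(1, d ** m)


def preimage_set(M, t, d, n):
    """S_t: all length-n dit strings whose hint equals t."""
    return [k for k in product(range(d), repeat=n)
            if linear_hash(M, k, d) == t]


if __name__ == "__main__":
    for d, n, m in [(2, 3, 2), (3, 2, 2), (4, 2, 1), (4, 2, 2)]:
        p = worst_collision_probability(d, n, m)
        print(f"d={d} n={n} m={m}: worst collision probability {p}, "
              f"bound {Fraction(1, d ** m)}, universal={is_universal(d, n, m)}")
    # Constructed sample: a fixed 2 x 3 matrix mod 3 and Alice's string k.
    M = ((1, 2, 0), (0, 1, 1))
    k = (1, 0, 2)
    t = linear_hash(M, k, 3)
    print("hint", t, "leaves Bob with candidates", preimage_set(M, t, 3, 3))
```

For prime d the worst-case collision probability equals the bound exactly; for d = 4 a difference string such as (2, 0) is annihilated by half of all rows, so the bound is violated.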



APPENDIX D: ON THE ONE-SHOT 
DISTILLATION THEOREM 

Parameter estimation aside, Theorem 4 is stronger
than the security proof of Constructing an example
where this is the case is not too difficult and we will
simply give an example in which the optimal $\Lambda_\beta^{BS}$ for
guessing Alice's conjugate basis measurement is not independent
of $\beta$. Consider two copies (i.e. n = 2) of the
state 

W ABSE = \m A \o) B + \i) A \i) B Mo) s \o) E 

+ ^(|O) A |O) B -|1)' 4 |1) S )|0 1 ) S |1) B , 

where $|\phi_0\rangle$ and $|\phi_1\rangle$ are two different non-orthogonal
states. Bob can guess Alice's key without an error by
measuring his state in the computational basis. His ability
to predict the conjugate basis will depend on the overlap
of $|\phi_0\rangle$ and $|\phi_1\rangle$. Assuming this is not nearly maximal,
Alice will have to provide Bob with some additional
information, which in this case would be the result of
measuring some set of stabilizers. Measuring two stabi-